The General Data Protection Regulation (GDPR) is a piece of legislation heard ’round the world, even though it is a European Union (EU) law. That’s because the law governs how data on EU citizens can be collected, stored, and used by any business or organization in the world, including publishers and website owners. Still, there are many questions about how much — or even if — the law applies to small to medium-sized businesses (SMBs).
So, let’s answer a popular question: “Does GDPR apply to small businesses?” The answer is “Yes.” Small to medium-sized businesses are under the same telescope as large corporations when it comes to GDPR.
Still, there seems to be some misinformation or misunderstanding by small business owners about their compliance. A 2019 study showed that about half of small businesses in Europe were not compliant with GDPR — one year after the law went into effect. SMBs outside of the EU may be even more in the dark about the law because they don’t believe that the European law can affect them.
If you’re collecting personal data from people in the EU, you fall within the scope of the GDPR’s reach. To make sure your business is compliant, we’ve put together this beginner’s guide to GDPR for small businesses.
GDPR for SMBs: The Basics
Your SMB might seem like small potatoes in the larger scheme of things, but the GDPR still applies. There is somewhat of an exemption for businesses with fewer than 250 employees, but it doesn’t let SMBs totally off the hook.
This exemption narrows the Article 30 requirement to keep records of your data processing activities. It applies to organizations with fewer than 250 employees, unless:
“…the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.”
In other words, if your data processing for EU citizens is frequent, could risk someone’s rights or freedoms, or falls within a special data category listed in Article 9, you’ll still need to keep records.
Furthermore, your SMB may not need to appoint a Data Protection Officer (DPO) like larger businesses that collect data on a large scale do. You can learn more about that requirement in Article 37.
There is no full exemption from GDPR for small businesses, so if you collect data from EU individuals you’ll still need to comply with the rest of the law. Even if you own a small blog with visitors from the EU, this could apply to you.
Ensuring compliance from the moment you have your site up and running can save a lot of headache down the line. And once you become compliant, you’ll need to make sure you stay that way.
For help with getting consent from your visitors, use the ShareThis Consent Management Platform. The tool allows transparency so that your visitors can decide what information they’re comfortable with you collecting.
As your business grows, GDPR may affect you differently, particularly if your business hires more than 250 employees. It’s crucial to continuously monitor your business and its compliance through regular auditing because the way in which you collect and process data may evolve.
Pulling in Help
GDPR can be confusing for any size business, but SMBs are at a particular disadvantage if they don’t already work with a legal team that can advise them on compliance with the law. Pulling in help from legal experts can set your business on the right track toward GDPR compliance.
GDPR carries a hefty fine if you’re caught being non-compliant, and the risk is greater for SMBs that lack the high revenue of larger companies. Currently, fines can reach 2-4% of your annual company revenue or €10-20 million, whichever is greater.
Err on the side of caution and seek the help of an attorney experienced in GDPR. Call around to a few of them and take advantage of a free consultation before deciding on the best fit for your business.